California Privacy Law Targets Data Sharing

The legislation, which takes effect Jan. 1, requires businesses to tell consumers what companies they share data with or provide an opt-out option.

Starting Jan. 1, companies outside the financial-services sector that do business in California, online or offline, and disclose customer information to third parties will face new compliance obligations under the state's information-sharing disclosure law, SB 27.

The law requires that, in response to customer requests, businesses must provide details about the type of personal information they share with other businesses, along with the names and addresses of companies with whom the information is being shared. Alternatively, a business may provide a privacy statement that offers customers a cost-free means to opt out of the business's information-sharing activities. Financial-services companies aren't covered by the law because of difficulties with regulating that industry.

The law aims to give consumers more insight about companies that sell information about them and what's being sold. In practice, however, it may accomplish little more than to reinforce the need for marketers to follow fair-information practices.

"SB27 is an either/or law," says Elise Berkower, senior compliance officer at DoubleClick Inc., a service and technology provider for marketers. "Either you have to have what I call a mini-FOIA [Freedom of Information Act] department within your retail establishment. Or you need to offer your consumers the ability to opt-out or opt-in."

The opt-out alternative to the disclosure requirement was added thanks to marketing industry lobbying, the result of concerns that implementing a disclosure system would prove costly. According to a spokesman for the Direct Marketing Association, some 95% of the organization's members already are in compliance because they offer a means for customers to opt out of marketing lists.

Berkower says DoubleClick's clients notify consumers about information-sharing activities and offer the option to opt out. But they might be concerned about the cost of providing consumers with detailed information about the companies with whom they share data.

While the law's impact might be limited by the opt-out alternative, Alan Chapell, president of privacy and data collection consultancy Chapell & Associates, notes that it should narrow the discrepancy in data-sharing standards between the online world and mail-order marketing. Most privacy legislation on the books applies specifically to online commerce.

It also should reinforce the need to adhere to fair-information practices. "Long term, I see it as a very positive thing," Chapell says. Historically, the direct-marketing industry has lacked transparency, he says. "When people don't know what's happening with their data, they assume the worst."

That's ancient history, says Bennie Smith, chief privacy officer at DoubleClick. His clients value transparency, he says. "If data is the fuel that runs the business, then trust is the lubricant that keeps the gears moving," he says.

Ironically, businesses are beginning to assume the worst about legislation coming out of California. The actions of legislators in the world's fifth-largest economy and most-populous state in the U.S. are proving worrisome to businesses that face privacy issues.

It's gotten to the point that businesses, reflexively averse to legislation, actually welcome federal laws as a means of repairing aggressive state statutes. Jennifer Barrett, chief privacy officer at marketing-information-management company Acxiom Corp., points to the CAN-Spam Act of 2003, which came about as a result of E-mail legislation in California that she says would have been totally unworkable.

"There's a high level of frustration throughout the business community with privacy legislation initiated at the state level," she says, noting that the industry favors federal rules for the sake of simplicity. Complying with different privacy laws in a dozen or more states would be nearly impossible, she says.

"Having anything less than a national standard, especially as it applies to the online world, is very, very difficult," says a spokesman for the Direct Marketing Association. "The Internet just doesn't respect state borders or even national borders."

"California has been very active in the privacy legislation arena for the past several years," acknowledges Joanne McNabb, chief of California's Office of Privacy Protection, a government agency charged with identifying privacy problems and encouraging fair-information practices.

She contends the business community isn't left out of the loop, as some companies suggest. "We work with the business community and privacy advocates on developing some best-practice documents, in relation to some of the California privacy laws," she says, "and we're working on one on SB 27 right now."

"When an industry demands uniform federal laws, what they usually mean is they want uniformly greater freedom for themselves, and less protection for consumers," says Liz Figueroa, the California state senator who authored SB 27, in an E-mail interview.

"California continues to lead the nation in protecting consumer privacy, and I don't intend to give up our leadership role. Frankly, I wouldn't trust my own privacy, or anyone else's, to (Texas Congressman) Tom Delay and President Bush."

Even so, DoubleClick's privacy officer Smith argues that many of the problems being addressed legislatively already are illegal. "Maybe we should be talking more about enforcing the laws that are already on the books," he says, "particularly in a state like California, which probably has some of the most comprehensive consumer protection statutes."
